Allowing anonymous access can reduce an organization’s ability to protect itself against attacks on its Azure resources.
Security incidents may include disruption of critical functions, data theft, and additional Azure subscription costs due to resource overload.
Using authentication coupled with fine-grained authorizations helps bring defense in depth and gives traceability to investigators of security
incidents.
Depending on the affected Azure resource, multiple authentication choices are possible: Active Directory Authentication, OpenID implementations
(Google, Microsoft, etc.) or native Azure mechanisms.
Ask Yourself Whether
- This Azure resource is essential for the information system infrastructure.
- This Azure resource is essential for mission-critical functions.
- This Azure resource stores or processes sensitive data.
- Compliance policies require access to this resource to be authenticated.
There is a risk if you answered yes to any of these questions.
Recommended Secure Coding Practices
Enable authentication in this Azure resource, and disable anonymous access.
If Basic Authentication is the only option available, enable it rather than leaving the resource anonymous.
Sensitive Code Example
For App Service:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "example"
}
]
}
// Sensitive: an App Service with no authentication configured. Nothing here
// turns on the built-in authentication feature (the compliant sample on this
// page does so through a child 'config' resource named 'authsettingsV2').
resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: 'example'
  // Sensitive: no authentication defined
}
For API Management:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2022-09-01-preview",
"name": "example"
}
]
}
resource apiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
  name: 'example'
  // Sensitive: no portal authentication defined (no 'portalsettings' child
  // resource named 'signin' enables sign-in for the developer portal)
  resource apis 'apis@2022-09-01-preview' = {
    name: 'exampleApi'
    properties: {
      path: '/test'
      // Sensitive: no API authentication defined -- without
      // 'authenticationSettings' no OpenID/OAuth authentication is applied to this API
    }
  }
}
For Data Factory Linked Services:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataFactory/factories/linkedservices",
"apiVersion": "2018-06-01",
"name": "example",
"properties": {
"type": "Web",
"typeProperties": {
"authenticationType": "Anonymous"
}
}
}
]
}
resource linkedService 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
  name: 'example'
  properties: {
    type: 'Web'
    typeProperties: {
      // Sensitive: the Web linked service presents no credentials to its endpoint
      authenticationType: 'Anonymous' // Sensitive
    }
  }
}
For Storage Accounts and Storage Containers:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"properties": {
"allowBlobPublicAccess": true
}
}
]
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  properties: {
    // Sensitive: account-level switch that permits containers in this
    // account to be set to public (anonymous) read access
    allowBlobPublicAccess: true // Sensitive
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2022-09-01",
"name": "blobContainerExample",
"properties": {
"publicAccess": "Blob"
}
}
]
}
]
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  resource blobService 'blobServices@2022-09-01' = {
    name: 'default'
    resource containers 'containers@2022-09-01' = {
      name: 'exampleContainer'
      properties: {
        // Sensitive: 'Blob' grants anonymous read access to the blobs in this
        // container ('Container' would additionally expose the blob listing)
        publicAccess: 'Blob' // Sensitive
      }
    }
  }
}
For Redis Caches:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Cache/redis",
"apiVersion": "2022-06-01",
"name": "example",
"properties": {
"redisConfiguration": {
"authnotrequired": "true"
}
}
}
]
}
resource redisCache 'Microsoft.Cache/redis@2023-04-01' = {
  name: 'example'
  location: location // assumes a 'location' parameter declared outside this snippet
  properties: {
    redisConfiguration: {
      // Sensitive: disables the Redis AUTH requirement, so clients connect
      // without presenting an access key
      authnotrequired: 'true' // Sensitive
    }
  }
}
Compliant Solution
For App Services and equivalent resources:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "example",
"resources": [
{
"type": "config",
"apiVersion": "2022-03-01",
"name": "authsettingsV2",
"properties": {
"globalValidation": {
"requireAuthentication": true,
"unauthenticatedClientAction": "RedirectToLoginPage"
}
}
}
]
}
]
}
resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: 'example'
  resource authSettings 'config@2022-09-01' = { // Compliant
    name: 'authsettingsV2'
    properties: {
      globalValidation: {
        requireAuthentication: true
        // NOTE(review): the ARM sample above uses 'RedirectToLoginPage'; with
        // 'AllowAnonymous' unauthenticated requests are passed through to the app,
        // leaving enforcement to application code -- confirm this is intended
        unauthenticatedClientAction: 'AllowAnonymous'
      }
      platform: {
        enabled: true // turns the App Service authentication feature on
      }
    }
  }
}
For API Management:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2022-09-01-preview",
"name": "example",
"resources": [
{
"type": "portalsettings",
"apiVersion": "2022-09-01-preview",
"name": "signin",
"properties": {
"enabled": true
}
},
{
"type": "apis",
"apiVersion": "2022-09-01-preview",
"name": "exampleApi",
"properties": {
"authenticationSettings": {
"openid": {
"bearerTokenSendingMethods": ["authorizationHeader"],
"openidProviderId": "<an OpenID provider ID>"
}
}
}
}
]
}
]
}
resource apiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
  name: 'example'
  resource portalSettings 'portalsettings@2022-09-01-preview' = {
    name: 'signin'
    properties: {
      enabled: true // Compliant: Sign-in is enabled for portal access
    }
  }
  resource apis 'apis@2022-09-01-preview' = {
    name: 'exampleApi'
    properties: {
      path: '/test'
      authenticationSettings: { // Compliant: API has authentication enabled
        openid: {
          // bearer tokens are accepted from the Authorization header only
          bearerTokenSendingMethods: ['authorizationHeader']
          // placeholder: must name an OpenID Connect provider configured on this service
          openidProviderId: '<an OpenID provider ID>'
        }
      }
    }
  }
}
For Data Factory Linked Services:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataFactory/factories/linkedservices",
"apiVersion": "2018-06-01",
"name": "example",
"properties": {
"type": "Web",
"typeProperties": {
"authenticationType": "Basic"
}
}
}
]
}
// Password supplied at deployment time; @secure() keeps the value out of the
// deployment history and logs instead of hard-coding it in the template.
@secure()
@description('The password for authentication')
param password string
resource linkedService 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
  name: 'example'
  properties: {
    type: 'Web'
    typeProperties: {
      authenticationType: 'Basic' // Compliant
      username: 'test' // sample value
      password: {
        type: 'SecureString' // Data Factory secure string; value comes from the secure parameter
        value: password
      }
      // NOTE(review): the endpoint 'url' is omitted from this snippet; Basic
      // credentials should only be sent to an HTTPS endpoint
    }
  }
}
For Storage Accounts:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"properties": {
"allowBlobPublicAccess": false
}
}
]
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  properties: {
    // Compliant: anonymous blob access is refused account-wide, whatever
    // 'publicAccess' level individual containers declare
    allowBlobPublicAccess: false // Compliant
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2022-09-01",
"name": "blobContainerExample",
"properties": {
"publicAccess": "None"
}
}
]
}
]
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  resource blobService 'blobServices@2022-09-01' = {
    name: 'default'
    resource containers 'containers@2022-09-01' = {
      name: 'exampleContainer'
      properties: {
        publicAccess: 'None' // Compliant: no anonymous read; every request must be authorized
      }
    }
  }
}
For Redis Caches:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Cache/redis",
"apiVersion": "2022-06-01",
"name": "example",
"properties": {
"redisConfiguration": {}
}
}
]
}
resource redisCache 'Microsoft.Cache/redis@2023-04-01' = {
  name: 'example'
  location: location // assumes a 'location' parameter declared outside this snippet
  properties: {
    redisConfiguration: {
      // Compliant: authentication is enabled by default
      // ('authnotrequired' is left unset, so clients must authenticate with an access key)
    }
  }
}
See